The security assessment is a point in time snapshot of your AWS cloud infrastructure posture, which provides you insight to your environment security. The assessment is conducted by querying your environment’s infrastructure using AWS management read-only APIs. In addition to assessing infrastructure configurations and some access perspectives, CCOE architects inspect the processes you are implementing to manage your infrastructure and security.

Focus areas

• Misconfiguration of AWS resources/services which may increase your environment attack surface. The resources configuration is checked against industry standards (CIS v1.4.0, NIST SP 800-53 Rev. 5, AWS FSBP). (!) This will be done on a single specific account of the customer selection.
• Over permissive entitlements which should be reviewed and reconsidered. For example: External access for third parties to S3 bucket, or a cross account role to a sensitive account, etc. Service roles of EC2 instances (IAM Instance Profile), EKS clusters (OIDC), and Lambda functions (execution roles). (!) This will be done on a single specific account of the customer selection.
• Development and deployment procedures: Security of the deployment pipeline and security in the pipeline. Architecture security review process.
• Tools and Processes around the following pillars: Cloud Security Posture Management, Cloud Infrastructure Entitlement Management, Incident Management (detection and response), and Incident response readiness.

Ideal for

Understanding your environment security posture is a crucial step towards mitigating risks and harming your environment security, thus, it is a mandate that the assessment should be desired by any organization who consumes the AWS cloud for either production or lower level environments. If you are not comfortable with your environment protection level, consider to assess your posture.

Key Activities

1. Establish the engagement with an introduction between the team and an overview of the assessment process.
2. Initial discovery - CCOE architects will work with you to understand which areas to focus the assessment is on, and validate the best approach to run the assessment tools.
3. Set up required access and/or deployment of assessment tools (according to customer environment and business requirements).
4. Run the assessment: Running automation tools and scripts. Interviewing platform engineering, security operations, and enterprise architecture teams.
5. Delivering and presenting the final report.

Cost

The assessment is delivered by CCOE for free, however, the automation procedures and services within the AWS cloud might incur some cost, by AWS services, depending on the chosen delivery method.

Timeframe

Depending on the availability of the customer, the size of the environment and optional restrictions/limitations in the environment, running the assessment might last between a week to few weeks. Once data is collected allow a week for the delivery of the final report.

Outcomes

By the end of this engagement you will get a thorough report of your AWS cloud environment infrastructure security posture, including tailored recommendations for improving your environment security.